A lingering crime for all

For shadowy cybercriminals who find backdoor access to stores of personal data, the process of hijacking identities and pocketing stolen cash can be instantaneous. For institutions hit by cybertheft, however, discovering that a breach exists, finding the source and stopping the bleeding is usually a monthslong process of investigation that leaves the identities and bank accounts of those affected at the mercy of the thieves.

“Companies want to figure out exactly how a breach happened, but it’s not so simple,” said Charles Wood, Duquesne University assistant professor of information systems management. “Target found out there were problems after some of their customers had credit cards issued under their name in Eastern Europe. (Target) didn’t know how it happened until they launched an investigation and eventually found the vulnerability.”

Thousands of employees of the University of Pittsburgh Medical Center discovered the frustrating aftermath of cybercrime firsthand after a February data breach exposed their names, addresses, Social Security numbers and other W-2 information during the peak of tax season.

What UPMC officials said they initially believed was tax fraud involving a few dozen employees turned out to be an attack that affected approximately 27,000 employees, 788 of whom had false tax returns filed in their names. Last week, UPMC sent out paper and email notices to more than 12,000 employees telling them personal information from their W-2 forms was definitely extracted during the breach. The information of an additional 14,000 may have been viewed during the breach.

A lawsuit seeking class-action status on behalf of employees impacted by the breach was filed in February by Michael Kraemer of Pittsburgh law firm Kraemer, Manes & Associates LLC.

UPMC’s response of notifying all 62,000 hospital employees of the breach and offering professional services and reimbursement to individuals impacted falls in line with industry standards established during massive breaches at retailers Target, Neiman Marcus and, most recently, craft store Michaels.

But with the scope of UPMC’s breach involving critical Social Security data rather than easily canceled credit card information, some employees are wondering if the company should have found a way to warn those who were directly impacted sooner.

According to Doug Pollack, chief strategy officer for Portland, Ore.-based data breach prevention and response company ID Experts, deciding between the earliest possible notification of those directly affected and blanket notification of all who potentially could be impacted is a tough call.

“It can become a judgment call between speed vs. accuracy,” Pollack said. “It took some time to understand the total scope of the population affected, so that sacrificed immediate notification and might have caused employees to go through troubling issues they could have avoided if they had known sooner.”

On the other hand, Pollack said, the opposite approach of informing victims immediately after discovering data were stolen could have caused panic among thousands of employees who still are waiting on a final verdict regarding the safety of their personal information.

“Most practitioners would prefer not to do creeping notification,” he said. “Best practices tend to be to do enough analysis to understand what happened, then make a judgment call about who to notify. Out of an abundance of caution, most want to notify as broad an audience as they can so they can take steps to protect themselves, whether they are affected or not.”

With or without early notification, affected employees must initiate a relationship with the IRS that begins with identity theft forms and continues for years with an identity theft PIN used to confirm that future tax filings are made by the right person.

Beyond taxes, Pollack said, victims must be on constant guard of bank accounts and credit reports for the foreseeable future to ensure their personal information isn’t funding someone else’s mortgage or luxury vacation.

For corporations hoping to avoid similar attacks, Duquesne’s Wood said old-school paper storage could be the best solution for personal data because it isn’t a question of if a copycat cyberattack will occur; it’s a question of when.
